Side note to people reading this: in general, when suspecting a scam, don't blindly trust anyone who says "I'm ... and I confirm this is OK". This may be the very same person you suspect of the original scam ;). Not a theory; I see cases like this every other week in my day job.
It might ring better for the cypherpunks here that zhovner has verified their HN account ownership with their keybase GPG key, which can only be done by editing an account's profile description to include a specific signature (or by defacing HN / breaching the account). And the same key is also used to prove ownership of their Github account and website.
The idea of Flipper Zero was to lower our guard and trust their company with security, while actually shipping hardware with backdoors -- which the Flipper Zero will, for some reason, not be able to detect.
The Flipper Zero is the backdoor, on the Day of Reckoning everyone's Flipper will emit a signal that will drive people into a murderous rage and detonate all nukes while "zhovner", if that is his real name, hides in a mountain lair with a selection of hand-picked people that he has Chosen to repopulate the earth with. Once the billions have perished, his buddy Musk will launch his fleet of Starships full of handpicked seed ships to spread throughout the solar system and galaxy to spread humanity across the universe like a disease.
More important note to people reading this: use your brain. Is it likely that a scammer will create an extremely professional website and product, and then their scam is to ride the coattails of another brand and try to keep that scam up with Hacker News comments?
(I think lots of HN people have issues with reality so just in case the answer is: absolutely not.)
Yes, actually. Well, everything except the last point. If you're unfamiliar with UFO 50, it's a recent collection of games inspired by 80s-esque computer game design. The reason why I bring this up is because there's a website (ufo50.net) which is actually fake and completely unrelated to the actual ufo50 site (50games.fun) which is designed to be SEO-bait so that it can absorb traffic from search engines.
Same, except the last point, I feel like I've seen that pattern multiple times. And it's not like it's expensive to do (presumably unless you get sued or something).
Well that's not the same is it? They aren't creating a whole new extremely professional product and just saying "made by OtherBrand"; they just cloned a website (probably using an LLM).
So yes except for the last point, and also the other points...
Yes. Someone had their iPhone stolen. They got a text message on their partner's phone from Apple saying that their phone had been located; they followed the link and ended up on a professional, Apple-designed website showing a map pointing to a distant country where the phone was located, and it prompted the user to type in the phone's PIN code in order to lock the phone or something like that.
They only caught themselves halfway through filling in the code, and I'm sure that was captured too.
However, the original inventor of the Pomodoro technique explicitly advocates a "low tech" approach - a mechanical kitchen timer, because he argued that the tactile and auditory elements (i.e., the turning moves and ticking sounds) get associated with the elements of the technique in the human brain.
It would be interesting to evaluate both variants of the approach in a scientific experiment.
This product (1) is not just for Pomodoro and (2) has nice tactile hardware.
I think hardware that can "passively" be more useful with sensors and similar are easy wins. No reason it has to disrupt a timer, it just hides sensors you'd want within a device that would already be sitting out in your home/office.
Ahh, the inevitable slippery slope of feature requests. Making hardware for geeks is a tough business because they’ll always say they’d buy it if it had just one or two more features, but by the time you add all of the feature requests they complain that it’s too expensive.
You can get a good CO2 sensor for less than $50 [1]. For large-batch orders the whole device can be less than $50 [2]. Where are you getting an almost $300 addition to the base price?
I think it should also have NVMe and SFF-8644 for external disk shelves. At least 6x 10GbE, with 4 on SFPs and 2 on copper. A GPU with excellent hardware transcoding, and slotted VRAM for that local LLM fun. Plus an 8k projector for movie nights at the office.
And a pony; every single one of these fucking kitchen timers must also come with a pony.
I think you're missing the obvious play to subsidize the price by making that LLM enabled with a mic and then selling all of that training data. The price could then come down to $19.99.
It looks gorgeous, especially the hardware. I think the typeface on the hardware and the retro busy text could be further refined, but it is very very cool overall.
A version of this that would be useful for WFH or private offices is an 'on air' device that you could mount outside your office door, which means it's not connected to your computer and could potentially run on a battery for a week+ or run on usb power directly.
People want to come in sometimes to access a closet, but they don't know if you're in a meeting, so it would also need to detect if you're in a meeting, and the microphone being on or off is not enough because people often mute themselves. Calendar access is also not enough because sometimes you start a meeting without a calendar thingy, and also knowing if you're 'on air' with an open door can tell them if they have to be worried that they could be on camera if they walk by the door.
It could be a very simple LED, it just needs a good agent on your desktop. Also a 'yellow light' for an upcoming meeting in a couple minutes (so this is where calendar access is useful) or an orange light for camera & microphone off.
I'd love for this thing to be feature-flexible enough to use it for the exact opposite: running TV/screen/videogame timer for the kids!
Looks great, love the dial/switch big button combo, and the opportunity to buy something attractive that's a "hackable screen with buttons" is very high for me.
Another likely use is to be a controller for audiobooks or music in our rumpus if I ever get a hold of one. Again, drivable by kids and oldies who visit is a huge plus.
Funnily, the way I used to check Keybase profiles is to check Twitter because a blue checkmark there was usually a good indication of them being "the famous person" but thanks to Twitter Blue that feature is no longer usable.
I understand Keybase allows you to link up a bunch of accounts, but it doesn't prevent you from making all of those accounts say you are the CEO/CTO of some company unfortunately.
> but it doesn't prevent you from making all of those accounts say you are the CEO/CTO of some company unfortunately
At least a GitHub profile link can usually be used to validate that this account actually has write access to a GitHub organization, so you can somewhat see it's the right person. Requires them to have pushed any public commits within that organization though.
> What are the odds of a kit version with a lower price tag and some assembly required?
Or even better, a version that ships with everything besides "the brain" and allows us to use our Flipper Zero as the brain :) Looking at the old blog articles about the project, it seems it got started with using Flipper Zero as the brain, so maybe it's not that far-fetched.
>The attacker managed to issue multiple SSL/TLS certificates via Let’s Encrypt for jabber.ru and xmpp.ru domains since 18 Apr 2023
Why is it even possible to issue more than 1 certificate on the same domain via Let’s Encrypt? Shouldn't the previous certificate be revoked when a new one is issued?
It's fairly common for people to obtain multiple certificates for different machines or services, so they can be selectively revoked and they don't have to share keys across machines.
More use-cases:
- You might obtain a new certificate, but deploy it gradually, so you want the old one to remain valid while you do that.
- One certificate may cover different sets of domain names. If you have a certificate for "example.com, foo.example.com" and then request a certificate for only "foo.example.com", should the earlier one be revoked? (leaving "example.com" without a certificate).
> Why is it even possible to issue more than 1 certificate on the same domain via Let’s Encrypt?
It is commonly used in a "normal" way all the time:
- e.g. when there are multiple data centers for the same domain (e.g. using geolocation-based routing) it's good practice to give them different certs, so that if you need to revoke one, the operation in other regions is unaffected
- or when rolling over from one cert to another
- or when moving certs into hardware security keys/modules (HSK): you preferably have one per HSK (so that if e.g. the hardware breaks and gets replaced you can just revoke the cert for the affected HSK module, not all of them); you also normally do not keep backups, to make sure it can't be leaked at all (as long as the HSK isn't hacked, which is normally quite hard)
- or losing access to a cert (e.g. in the case above, when a HSK breaks)
Lastly, the whole CA system is in the end designed to provide good security for the industry while having the backdoor of issuing certs to legal organs to allow the police some degree of wiretapping (oversimplified; it's slightly more complex than that).
You should always have more than a single certificate for your domain honestly.
Cloudflare for example, tries to optimize certificate delivery (and have backup certificates available for you just in case a CA needs to revoke theirs).
Also, on distributed systems it's less safe to share private keys between the various frontends.
This is actually a great suggestion and ACME providers should provide it as an opt-in feature via CAA record. Not even the provider having access to system memory could issue a mitm cert without you noticing.
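Editorial note on the comment above: the opt-in already exists. RFC 8657 defines two CAA `issue` parameters that ACME CAs such as Let's Encrypt honour: `accounturi`, which binds issuance to one ACME account URL, and `validationmethods`, which restricts the challenge types a CA may accept. With both set, an attacker who can answer an http-01 challenge from a different ACME account is refused at the CA. The following is an added example, not code from the thread or from any CA; it evaluates a small constructed zone (the domains, account URI and serials are made up) the way an issuer walks CAA per RFC 8659, including the parameter checks from RFC 8657.

```python
"""Evaluate CAA records (RFC 8659) with the ACME parameters from RFC 8657.

Added example. The in-memory ZONE stands in for DNS; real code would query
CAA records with a resolver. The account URI below is an illustrative value.
"""
from dataclasses import dataclass

CRITICAL = 128  # issuer-critical flag bit (RFC 8659 section 4.1)

@dataclass
class CAARecord:
    flags: int
    tag: str
    value: str

# Constructed zone: owner name -> CAA RRset.
ZONE = {
    # Weak: any Let's Encrypt account, any challenge type.
    "weak.example": [CAARecord(0, "issue", "letsencrypt.org")],
    # Strict: only our ACME account, only dns-01 (hypothetical account URI).
    "strict.example": [CAARecord(0, "issue",
        "letsencrypt.org; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/1234567; "
        "validationmethods=dns-01")],
    # Empty issuer domain: no CA may issue at all.
    "nobody.example": [CAARecord(0, "issue", ";")],
    # Only a reporting address: does not restrict issuance.
    "iodef.example": [CAARecord(0, "iodef", "mailto:security@iodef.example")],
}

def lookup_caa(fqdn, zone=ZONE):
    """Climb from fqdn toward the root; return the first non-empty CAA RRset, else []."""
    labels = fqdn.lower().rstrip(".").split(".")
    if labels and labels[0] == "*":
        labels = labels[1:]
    while labels:
        rrset = zone.get(".".join(labels))
        if rrset:
            return rrset
        labels = labels[1:]
    return []

def parse_issue_value(value):
    """'ca.example; k=v; k2=v2' -> ('ca.example', {'k': 'v', 'k2': 'v2'}). Empty issuer = nobody."""
    parts = [p.strip() for p in value.split(";")]
    params = {}
    for p in parts[1:]:
        if p:
            k, _, v = p.partition("=")
            params[k.strip().lower()] = v.strip()
    return parts[0].lower(), params

def may_issue(fqdn, ca_domain, account_uri=None, validation_method=None, zone=ZONE):
    """Decide, as an issuer would, whether ca_domain may issue for fqdn.

    Returns (allowed, reason). account_uri and validation_method describe the
    ACME request that triggered the check.
    """
    rrset = lookup_caa(fqdn, zone)
    if not rrset:
        return True, "no CAA records found: any CA may issue"
    for r in rrset:  # an unrecognised critical property forbids issuance
        if r.flags & CRITICAL and r.tag.lower() not in ("issue", "issuewild", "iodef"):
            return False, f"unknown critical property {r.tag!r}"
    relevant = []
    if fqdn.startswith("*."):
        relevant = [r for r in rrset if r.tag.lower() == "issuewild"]
    if not relevant:
        relevant = [r for r in rrset if r.tag.lower() == "issue"]
    if not relevant:
        return True, "CAA present but no issue/issuewild properties: issuance permitted"
    for r in relevant:
        issuer, params = parse_issue_value(r.value)
        if issuer != ca_domain.lower():
            continue
        bound = params.get("accounturi")
        if bound and bound != account_uri:
            continue  # RFC 8657: issuance bound to a different ACME account
        methods = params.get("validationmethods")
        if methods and validation_method not in [m.strip() for m in methods.split(",")]:
            continue  # RFC 8657: this challenge type is not permitted
        return True, f"authorized by {r.tag} {r.value!r}"
    return False, "no issue property matches this CA, account and validation method"

if __name__ == "__main__":
    ours = "https://acme-v02.api.letsencrypt.org/acme/acct/1234567"
    for name, acct, method in [("weak.example", "https://acme-v02.api.letsencrypt.org/acme/acct/999", "http-01"),
                               ("strict.example", "https://acme-v02.api.letsencrypt.org/acme/acct/999", "http-01"),
                               ("strict.example", ours, "dns-01")]:
        print(name, method, may_issue(name, "letsencrypt.org", acct, method))
```

The zone's `strict.example` entry is the setting to copy: it is one DNS record, it costs nothing, and it turns "anyone who can pass a challenge for this name" into "our account, via our chosen challenge". Pair it with DNSSEC where possible, since an attacker who can spoof the CAA lookup can remove the restriction.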
You could sync certificates across hosts for this purpose, though. The advantage of multiple certificates is being able to revoke a subset of certificates if you can determine only a subset of your hosts have been compromised.
you could, but unfortunately the LE certs have a very short lifetime, and renewals are a thing
so you need a master server to handle the renewals, periodic sync, and to handle the case when the master goes away
this would be considerably more complicated than having a second independent certificate (assuming you've automated the entire frontend provisioning process)
> Why is it even possible to issue more than 1 certificate on the same domain via Let’s Encrypt? Shouldn't the previous certificate be revoked when a new one is issued?
First, you want to have some leeway so you don't need to rotate certs at the exact second the old one expires.
Second, you might want to have cert-per-server rather than cert-per-domain, as that's frankly easier to implement vs having common store for certs+key
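Editorial note on the certificate sub-thread: since several valid certificates per name is normal, revocation on re-issue cannot be the detection mechanism; what the jabber.ru quote actually calls for is comparing what Certificate Transparency logs show for your names against what your own ACME clients obtained. The block below is an added example, not from the thread: it runs that comparison over a constructed feed shaped like the crt.sh JSON API output (issuer names, serials, dates and the inventory are all made up), deduplicates precertificate/leaf pairs, honours wildcard SANs, and reports unknown certificates with whether they are still within their validity window.

```python
"""Flag publicly logged certificates for your names that you did not obtain.

Added example. CT_FEED is constructed to mirror crt.sh's JSON fields; a real
monitor would fetch https://crt.sh/?q=example.org&output=json on a schedule.
"""
import json
from datetime import datetime

# Constructed feed for example.org. Entry 2 repeats entry 1's serial because CT
# logs hold both the precertificate and the final certificate.
CT_FEED = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "example.org\nwww.example.org", "serial_number": "03a1b2c3d4e5f607",
     "not_before": "2023-03-01T00:00:00", "not_after": "2023-05-30T00:00:00"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "example.org\nwww.example.org", "serial_number": "03a1b2c3d4e5f607",
     "not_before": "2023-03-01T00:00:00", "not_after": "2023-05-30T00:00:00"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",   # nobody on our side requested this one
     "name_value": "example.org", "serial_number": "04f2e1d0c9b8a796",
     "not_before": "2023-04-18T09:12:00", "not_after": "2023-07-17T09:12:00"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",   # unknown as well, but long expired
     "name_value": "*.example.org", "serial_number": "01aa0bb1cc2dd3ee",
     "not_before": "2022-10-01T00:00:00", "not_after": "2022-12-30T00:00:00"},
])

# (issuer, serial) pairs recorded by our own ACME clients at issuance time.
INVENTORY = {("C=US, O=Let's Encrypt, CN=R3", "03a1b2c3d4e5f607")}
MONITORED = {"example.org", "www.example.org", "mail.example.org"}

def parse_feed(raw):
    """Normalise crt.sh-style entries: SAN list, lowercase serial, parsed dates."""
    entries = []
    for e in json.loads(raw):
        entries.append({
            "issuer": e["issuer_name"].strip(),
            "serial": e["serial_number"].replace(":", "").lower(),
            "names": {n.strip().lower() for n in e["name_value"].split("\n") if n.strip()},
            "not_before": datetime.fromisoformat(e["not_before"]),
            "not_after": datetime.fromisoformat(e["not_after"]),
        })
    return entries

def covers(cert_names, hostname):
    """True if a SAN matches hostname exactly or via a one-label wildcard."""
    if hostname in cert_names:
        return True
    _, _, parent = hostname.partition(".")
    return parent != "" and ("*." + parent) in cert_names

def unexpected_certs(entries, inventory, monitored, now):
    """Return certificates covering a monitored name that are absent from inventory."""
    seen, flagged = set(), []
    for e in entries:
        key = (e["issuer"], e["serial"])
        if key in seen:            # precert and leaf share issuer+serial
            continue
        seen.add(key)
        hit = sorted(h for h in monitored if covers(e["names"], h))
        if not hit or key in inventory:
            continue
        flagged.append({"issuer": e["issuer"], "serial": e["serial"], "covers": hit,
                        "active": e["not_before"] <= now <= e["not_after"]})
    return flagged

def run_demo(now_iso="2023-05-01T00:00:00"):
    """Scan the constructed feed as of a fixed instant so results are reproducible."""
    return unexpected_certs(parse_feed(CT_FEED), INVENTORY, MONITORED,
                            datetime.fromisoformat(now_iso))

if __name__ == "__main__":
    for f in run_demo():
        state = "ACTIVE " if f["active"] else "expired"
        print(state, f["serial"], f["issuer"], ",".join(f["covers"]))
```

The inventory is the part most deployments lack: have the ACME client record issuer and serial of every certificate it obtains (certbot's `--deploy-hook` is one place to do it), and treat any active, unlisted certificate as an incident rather than noise. Expired unknowns are still worth a look; they tell you how long the problem may have existed.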
I do not recommend buying overpriced lots on eBay. We will open sales for wave 3 very soon. Leave your email on the wait list here https://shop.flipperzero.one and you will be notified.
I was a backer and have received mine, thanks for all of the hard work! I am curious, now that you have the tooling and partnerships established, what is the turnaround on a new wave of Flippers?
Right now, we are working on implementing Matter smart home protocol and will slightly change the product concept.